-
1. Re: org.jboss.seam.security.management.authenticatedUser
andre.eugenio Sep 4, 2008 3:38 PM (in response to nimo22)
I saw your http://www.seamframework.org/Community/LoginUserAtMostOnceTime thread and I'm going to try to help (but I'm new to Seam as well).
AFAIK Seam doesn't have anything to support this; you have to implement it.
To achieve this you need to keep a List of all logged-in users in application scope, with the UserID and SessionID, and prevent the user from logging in again if the UserID is already stored in the List (in Application Scope).
But you have to implement a way for the user to override the sessionID stored in the application scope with a new one, because the hardest part of preventing the user from logging in with another browser, workstation, etc. is how to handle the logout, because the browser is not connected with the web server. If the user doesn't log out of your application, they won't be able to log in again until some expiration mechanism takes care of it.
To add a user to the Application Scope you can use the Seam loginSuccessful event.
To remove the user when he logs out you can extend the Seam Identity class and override the logout method.
To expire, I guess the best way is to create a POJO servlet that implements the HttpSessionBindingListener interface (you can google it for examples).
Hope this helps.
Cheers, Andre.
-
2. Re: org.jboss.seam.security.management.authenticatedUser
nimo22 Sep 4, 2008 4:14 PM (in response to nimo22)
Hello, thanks,
I have successfully implemented this scenario:
I have a Map with User,Session in my ApplicationScope that checks whether the User is already logged in, to avoid logins from different browsers. That works well.
But what if I want to destroy the User-Session of the User who logged in before, and log in the latest User? I cannot retrieve the User-Instances from the JPAIdentityStore to destroy the User-Session. This is what I want.
Where can I find this User in my JPAIdentityStore-Instance stored in the ApplicationScope?
FacesContext facesContext = FacesContext.getCurrentInstance();
Application application = facesContext.getApplication();
application.getClass()....?????
-
3. Re: org.jboss.seam.security.management.authenticatedUser
nimo22 Sep 4, 2008 4:24 PM (in response to nimo22)
Imagine this scenario: I have an admin page and want to be able to destroy the sessions of the users who are logged in.
-
4. Re: org.jboss.seam.security.management.authenticatedUser
andre.eugenio Sep 4, 2008 4:25 PM (in response to nimo22)
FacesContext facesContext = FacesContext.getCurrentInstance();
Object target = facesContext.getExternalContext().getApplicationMap().get("nameOfYourObjectWhenYouStoreOnTheMap");
Example
// store the object in application scope
MyCustomObject object = new MyCustomObject();
FacesContext facesContext = FacesContext.getCurrentInstance();
facesContext.getExternalContext().getApplicationMap().put("toApp", object);
// read it back later
MyCustomObject stored = (MyCustomObject) facesContext.getExternalContext().getApplicationMap().get("toApp");
Regards.
-
5. Re: org.jboss.seam.security.management.authenticatedUser
nimo22 Sep 4, 2008 5:12 PM (in response to nimo22)
I have done that before, thanks. I can store and retrieve the values of my application-scope. That is not the problem.
The problem is, to retrieve the actual instance from the IdentityStore in which all actual user-instances are located.
Something like:
application.getClass().forName("org.jboss.seam.security.identity").getMethods(...)
-
6. Re: org.jboss.seam.security.management.authenticatedUser
andre.eugenio Sep 4, 2008 6:54 PM (in response to nimo22)
I don't know how to access it the way you want either.
But I guess you can invalidate the desired session in a Servlet Filter when the request arrives.
For this, create a new Map in the Application Context and just check if the ID of the current request is invalid in the List. Example:
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class invalidateSession extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true); // get the actual session
        // Map of the sessions to be invalidated ("sessionsToInvalidate" is a placeholder name)
        Map<?, ?> pending = (Map<?, ?>) getServletContext().getAttribute("sessionsToInvalidate");
        if (!session.isNew() // skip new sessions
                && pending != null && pending.containsKey(session.getId())) {
            // the actual session is in the Map of the sessions to be invalidated
            session.invalidate();
        }
        // Continue processing...
    }
}
-
7. Re: org.jboss.seam.security.management.authenticatedUser
nimo22 Sep 4, 2008 9:48 PM (in response to nimo22)
Thanks, but this does meet my problem.
Destroy a session with:
org.jboss.seam.web.Session.instance().invalidate();
Logout a user with:
Identity.logout
Get the instance of a Class stored in the Application-Scope with:
JPAIdentityStore a = (JPAIdentityStore ) Contexts.getApplicationContext().get("org.jboss.seam.security.jpaIdentityStore");
But the fact is:
It is useless to store the User and its Session into a Map in the Application-Scope and delete this User and its Session from this Map - it does not logout the user as its session still exists in another value elsewhere in the Application-Scope (Identity-Instance or the like?).
I have no convenient method in my IdentityManager to say "hey, this user is logged out by me, the administrator". I cannot say, for example:
Identity.logout(Username)
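
The thread ends without a way to log a user out by name. As an added example (not code from the thread or from Seam), here is a plain Servlet API registry that keeps a reference to each user's HttpSession, so that a newer login or an administrator can invalidate it. The class and method names are hypothetical, and it assumes the login state is held in the HTTP session on a single node.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry (not a Seam class): at most one live session per user name. */
public class SessionRegistry implements HttpSessionListener {
    // Static because the container creates the listener instance itself.
    private static final ConcurrentMap<String, HttpSession> BY_USER =
            new ConcurrentHashMap<String, HttpSession>();

    /** Call after a successful login; the newest login wins. */
    public static void register(String user, HttpSession current) {
        HttpSession previous = BY_USER.put(user, current);
        if (previous != null && !previous.getId().equals(current.getId())) {
            invalidateQuietly(previous);
        }
    }

    /** Administrative logout by user name; false if that user had no session. */
    public static boolean forceLogout(String user) {
        HttpSession session = BY_USER.remove(user);
        if (session == null) { return false; }
        invalidateQuietly(session);
        return true;
    }

    private static void invalidateQuietly(HttpSession session) {
        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // Expired or invalidated concurrently: nothing left to do.
        }
    }

    public void sessionCreated(HttpSessionEvent event) { }

    /** Fires on logout, timeout and forced invalidation, so no entry goes stale. */
    public void sessionDestroyed(HttpSessionEvent event) {
        String id = event.getSession().getId();
        for (Map.Entry<String, HttpSession> e : BY_USER.entrySet()) {
            if (e.getValue().getId().equals(id)) {
                BY_USER.remove(e.getKey(), e.getValue());
            }
        }
    }
}
```

Register the class with a `<listener>` element in web.xml so the container calls sessionDestroyed. The references live in one JVM only, so a clustered deployment needs a shared store instead.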